I understand your struggle. I have worked with US and non-US orgs that are in similar boat.
In my experience this is often and at least in part a self-inflicted wound. As you describe your side of the business, it should not restricted, but it is. Maybe? Not enough detail to be certain.
What I see time and time again is business not willing to implement proper DLP, labeling and isolation of restricted things. Instead, they just throw everything into a single bucket, because it is quicker, faster, some of the risk and compliance is shifted to third party, and initially cheaper.
In short, a US, UK, Aus company that does government contracts will just force everyone into NOFORN, on-prem requirements (because DFARS, CMMC, CE+, Essential 8, or whatever). It is way quicker to do this for entire company than actually label data, isolate environment and resources, and so on.
In my experience this is often and at least in part a self-inflicted wound. As you describe your side of the business, it should not restricted, but it is. Maybe? Not enough detail to be certain.
What I see time and time again is business not willing to implement proper DLP, labeling and isolation of restricted things. Instead, they just throw everything into a single bucket, because it is quicker, faster, some of the risk and compliance is shifted to third party, and initially cheaper.
In short, a US, UK, Aus company that does government contracts will just force everyone into NOFORN, on-prem requirements (because DFARS, CMMC, CE+, Essential 8, or whatever). It is way quicker to do this for entire company than actually label data, isolate environment and resources, and so on.